def test_14_send_to_adminrealm(self): # setup realms self.setUp_user_realms() r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} req.User = User("cornelius", self.realm1) resp = Response() resp.data = """{"result": {"value": true}, "detail": {"registrationcode": "12345678910"} } """ # send email to user in adminrealm "realm1" # Although this is no admin realm, but this realm contains some email # addresses. options = { "g": g, "request": req, "response": resp, "handler_def": { "conditions": { "serial": "123.*" }, "options": { "body": "your {registrationcode}", "emailconfig": "myserver", "To": NOTIFY_TYPE.ADMIN_REALM, "To " + NOTIFY_TYPE.ADMIN_REALM: "realm1" } } } un_handler = UserNotificationEventHandler() res = un_handler.do("sendmail", options=options) self.assertTrue(res)
def test_14_otppin_priority(self): my_user = User("cornelius", realm="r1") set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE), priority=2) set_policy(name="pol2", scope=SCOPE.AUTH, action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.TOKENPIN), priority=2) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # error because of conflicting policies with self.assertRaises(PolicyError): auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user) # lower pol2 priority set_policy(name="pol2", priority=3) g.policy_object.reload_from_db() # NONE with empty PIN -> success r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user) self.assertTrue(r) # NONE with empty PIN -> success, even if the authentication is done # for a serial and not a user, since the policy holds for all realms token = init_token({"type": "HOTP", "otpkey": "1234"}) r = auth_otppin(self.fake_check_otp, token, "", options=options, user=None) self.assertTrue(r) # NONE with some pin -> fail r = auth_otppin(self.fake_check_otp, None, "some pin", options=options, user=my_user) self.assertFalse(r) # increase pol2 priority set_policy(name="pol2", priority=1) g.policy_object.reload_from_db() r = auth_otppin(self.fake_check_otp, None, "FAKE", options=options, user=my_user) self.assertTrue(r) r = auth_otppin(self.fake_check_otp, None, "Wrong Pin", options=options, user=my_user) self.assertFalse(r) delete_policy("pol1") delete_policy("pol2")
def test_18_challenges(self): db_token = Token.query.filter_by(serial=self.serial1).first() token = HotpTokenClass(db_token) transaction_id = "123456789" resp = token.is_challenge_response( User(login="******", realm=self.realm1), "test123456") self.assertFalse(resp, resp) C = Challenge(self.serial1, transaction_id=transaction_id, challenge="Who are you?") C.save() resp = token.is_challenge_response( User(login="******", realm=self.realm1), "test123456", options={"transaction_id": transaction_id}) self.assertTrue(resp, resp) # test if challenge is valid self.assertTrue(C.is_valid())
def test_17_check_nonascii_user(self): realm = u"sqlrealm" resolver = u"SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) if six.PY2: self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') else: self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual( six.text_type(user_object).encode('utf8'), b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') # also check the User object representation user_repr = repr(user_object) if six.PY2: self.assertEqual( "User(login=u'n\\xf6n\\xe4scii', " "realm=u'sqlrealm', resolver=u'SQL1')", user_repr, user_repr) else: self.assertEqual( "User(login='******', " "realm='sqlrealm', resolver='SQL1')", user_repr, user_repr)
def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial try: user = get_token_owner(serial) or User() except Exception as exx: user = User() # This can happen for orphaned tokens. log.info("Could not determine tokenowner for {0!s}. Maybe the " "user does not exist anymore.".format(serial)) log.debug(exx) # If the user does not exist, we set an empty user if not user.exist(): user = User() return user
def create_token(serial, username): app = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg", silent=True) with app.app_context(): # Set global values params = {"type": TOKENTYPE} if username: user = User(username, REALM) else: user = User() if serial: params["serial"] = serial password = generate_password(size=PW_LEN, characters=BASE58) params["otplen"] = PW_LEN params["otpkey"] = password tok = init_token(params, user) return tok.token.serial, password
def test_04_user_can_not_lost_another_token(self): self.authenticate_selfservice_user() assign_token(self.foreign_serial, User("cornelius", self.realm1)) with self.app.test_request_context('/token/lost/{0!s}'.format( self.foreign_serial), method='POST', headers={'Authorization': self.at_user}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res)
def test_41_get_tokens_paginate(self): # create some tokens for serial in ["S1", "S2", "S3", "A8", "B", "X"]: init_token({ "serial": serial, "type": "hotp", "otpkey": self.otpkey, "realm": self.realm1 }) token_count = 15 # return pagination tokens = get_tokens_paginate(sortby=Token.serial, page=1, psize=5) self.assertTrue( len(tokens.get("tokens")) == 5, len(tokens.get("tokens"))) self.assertEqual(tokens.get("count"), token_count) self.assertTrue(tokens.get("next") == 2, tokens.get("next")) self.assertTrue(tokens.get("prev") is None, tokens.get("prev")) tokens = get_tokens_paginate(sortby=Token.serial, page=2, psize=5) self.assertEqual(len(tokens.get("tokens")), 5) self.assertEqual(tokens.get("count"), token_count) self.assertEqual(tokens.get("next"), 3) self.assertEqual(tokens.get("prev"), 1) tokens = get_tokens_paginate(sortby=Token.serial, page=3, psize=5) self.assertEqual(len(tokens.get("tokens")), 4) self.assertEqual(tokens.get("count"), token_count) self.assertEqual(tokens.get("next"), None) self.assertEqual(tokens.get("prev"), 2) # Test filtering and sorting tokens = get_tokens_paginate(assigned=True, page=1) self.assertTrue( len(tokens.get("tokens")) == 2, len(tokens.get("tokens"))) self.assertTrue(tokens.get("count") == 2, tokens.get("count")) self.assertTrue(tokens.get("next") is None, tokens.get("next")) self.assertTrue(tokens.get("prev") is None, tokens.get("prev")) tokens = get_tokens_paginate(sortby=Token.serial, page=1, sortdir="desc") self.assertTrue(len(tokens.get("tokens")), token_count - 1) self.assertEqual(tokens.get("count"), token_count) self.assertTrue(tokens.get("next") is None, tokens.get("next")) self.assertTrue(tokens.get("prev") is None, tokens.get("prev")) # Test to retrieve tokens of user cornelius tokens = get_tokens_paginate(user=User("cornelius", "realm1")) self.assertTrue( len(tokens.get("tokens")) == 2, len(tokens.get("tokens"))) # test to retrieve tokens with not strict serial matching tokens = get_tokens_paginate(serial="hotp*") self.assertTrue( len(tokens.get("tokens")) == 1, len(tokens.get("tokens")))
def test_19_smstext(self): # The single quotes in the smstext "'Your <otp>'" is legacy and results in # the string without single quotes "Your <otp>". smstext_tests = { "'Your <otp>'": r"Your [0-9]{6}", "Your <otp>": r"Your [0-9]{6}", "{user} has the OTP: {otp}": r"Cornelius has the OTP: [0-9]{6}" } for pol_text, result_text in smstext_tests.items(): # create a SMSTEXT policy: p = set_policy(name="smstext", action="{0!s}={1!s}".format(SMSACTION.SMSTEXT, pol_text), scope=SCOPE.AUTH) self.assertTrue(p > 0) g = FakeFlaskG() P = PolicyClass() g.audit_object = FakeAudit() g.policy_object = P options = {"g": g, "user": User("cornelius", self.realm1)} responses.add(responses.POST, self.SMSHttpUrl, body=self.success_body) set_privacyidea_config("sms.providerConfig", self.SMSProviderConfig) db_token = Token.query.filter_by(serial=self.serial1).first() token = SmsTokenClass(db_token) c = token.create_challenge(options=options) self.assertTrue(c[0], c) display_message = c[1] self.assertEqual(display_message, _("Enter the OTP from the SMS:")) self.assertEqual(c[3].get("state"), None) smstext = token._get_sms_text(options) self.assertEqual(pol_text.strip("'"), smstext) r, message = token._send_sms(smstext, options) self.assertRegexpMatches(message, result_text) # Test AUTOSMS p = set_policy(name="autosms", action=SMSACTION.SMSAUTO, scope=SCOPE.AUTH) self.assertTrue(p > 0) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} r = token.check_otp(self.valid_otp_values[5 + len(smstext_tests)], options=options) self.assertTrue(r > 0, r)
def test_16_init_detail(self): db_token = Token.query.filter_by(serial=self.serial2).first() token = MotpTokenClass(db_token) token.add_init_details("otpkey", "11223344556677889900") token.set_user(User(login="******", realm=self.realm1)) token.save() self.assertTrue(token.token.resolver_type == "passwdresolver", token.token.resolver_type) self.assertTrue(token.token.resolver == self.resolvername1, token.token.resolver) self.assertTrue(token.token.user_id == "1000", token.token.user_id) user_object = token.user self.assertTrue(user_object.login == "cornelius", user_object) self.assertTrue(user_object.resolver == self.resolvername1, user_object) detail = token.get_init_detail() self.assertTrue("otpkey" in detail, detail) # but the otpkey must not be written to token.token.info (DB) # As this only writes the OTPkey to the internal init_details dict self.assertTrue("otpkey" not in token.token.get_info(), token.token.get_info()) # Now get the Token2 URL, which we only # get, if a user is specified. detail = token.get_init_detail(user=User("cornelius", self.realm1)) self.assertTrue("otpkey" in detail, detail) otpkey = detail.get("otpkey") self.assertTrue("img" in otpkey, otpkey) self.assertTrue("motpurl" in detail, detail) motpurl = detail.get("motpurl").get("value") self.assertTrue(motpurl == 'motp://privacyidea:mylabel?' 'secret=11223344556677889900', motpurl) self.assertRaises(Exception, token.set_init_details, "unvalid value") token.set_init_details({"detail1": "value1"}) self.assertTrue("detail1" in token.get_init_details(), token.get_init_details())
def reassign_token(serial, username): app = Flask(__name__, static_folder="static", template_folder="static/templates") app.config.from_pyfile("/etc/privacyidea/pi.cfg", silent=True) db = SQLAlchemy() db.init_app(app) with app.app_context(): # Set global values unassign_token(serial) assign_token(serial, User(username, NEW_REALM))
def test_10_check_user_password(self): (added, failed) = set_realm("passwordrealm", [self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) self.assertTrue( User(login="******", realm="passwordrealm").check_password("test")) self.assertFalse( User(login="******", realm="passwordrealm").check_password("wrong")) self.assertFalse( User(login="******", realm="passwordrealm").check_password("wrong")) # test cornelius@realm2, since he is located in more than one # resolver. self.assertEqual( User(login="******", realm="realm2").check_password("test"), None)
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword"))
def test_07_login_mode(self): # a realm: cornelius@r1: PW: test def check_webui_user_userstore(user_obj, password, options=None, superuser_realms=None, check_otp=False): self.assertEqual(check_otp, False) def check_webui_user_privacyidea(user_obj, password, options=None, superuser_realms=None, check_otp=False): self.assertEqual(check_otp, True) user_obj = User("cornelius", "r1") g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # No policy, the function is called with check_otp=False login_mode(check_webui_user_userstore, user_obj, "", options=options, superuser_realms="", check_otp=False) set_policy(name="pol2", scope=SCOPE.WEBUI, action="{0!s}={1!s}".format(ACTION.LOGINMODE, LOGINMODE.PRIVACYIDEA)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # Policy is set, the function is called with check_otp=True login_mode(check_webui_user_privacyidea, user_obj, "", options=options, superuser_realms="", check_otp=False) # Set policy, so that the user is not allowed to login at all set_policy(name="pol2", scope=SCOPE.WEBUI, action="{0!s}={1!s}".format(ACTION.LOGINMODE, LOGINMODE.DISABLE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # Policy is set. Trying to login raises a policy error self.assertRaises(PolicyError, login_mode, check_webui_user_privacyidea, user_obj, "", options=options, superuser_realms="", check_otp=False) delete_policy("pol2")
def test_02_get_auth_item(self): serial = "ssh1" # create realm self.setUp_user_realms() user = User("cornelius", realm=self.realm1) # create ssh token init_token({"serial": serial, "type": "sshkey", "sshkey": SSHKEY}, user=user) auth_item = SSHApplication.get_authentication_item("sshkey", serial) self.assertEqual(auth_item.get("sshkey"), SSHKEY) self.assertEqual(auth_item.get("username"), "cornelius")
def test_00_create_realms(self): self.setUp_user_realms() # create a token and assign it to the user db_token = Token(self.serials[0], tokentype="hotp") db_token.update_otpkey(self.otpkey) db_token.save() token = HotpTokenClass(db_token) self.assertTrue(token.token.serial == self.serials[0], token) token.set_user(User("cornelius", self.realm1)) token.set_pin("pin") self.assertTrue(token.token.user_id == "1000", token.token.user_id)
def test_02_userstore_password(self): # create a realm, where cornelius has a password test rid = save_resolver({ "resolver": "myreso", "type": "passwdresolver", "fileName": PWFILE2 }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("r1", ["myreso"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # now create a policy with userstore PW set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # Wrong password r = auth_otppin(self.fake_check_otp, None, "WrongPW", options=options, user=User("cornelius", realm="r1")) self.assertFalse(r) # Correct password from userstore: "test" r = auth_otppin(self.fake_check_otp, None, "test", options=options, user=User("cornelius", realm="r1")) self.assertTrue(r) delete_policy("pol1")
def test_11_cache_expiration(self): # delete user_cache r = delete_user_cache() self.assertTrue(r >= 0) # populate the cache with artificial, somewhat "old", but still relevant data timestamp = datetime.now() - timedelta(seconds=300) UserCache("hans1", "hans1", "resolver1", "uid1", timestamp).save() UserCache("hans2", "hans2", "resolver1", "uid2", timestamp).save() # check that the cache is indeed queried self.assertEqual(get_username("uid1", "resolver1"), "hans1") self.assertEqual(User("hans2", "realm1", "resolver1").uid, "uid2") # check that the (non-existent) resolver is queried # for entries not contained in the cache self.assertEqual(get_username("uid3", "resolver1"), "") # TODO: Interestingly, if we mock `datetime` here to increase the time by one # day, this test works, but a subsequent test (test_ui_certificate) will fail # with weird error messages. So we do not use the datetime mock for now. #with self._patch_datetime_now('privacyidea.lib.usercache.datetime.datetime') as mock_datetime: with patch('privacyidea.lib.usercache.get_cache_time' ) as mock_get_cache_time: # Instead, we just decrease the cache time from 600 to 60 seconds, # which causes the entries above to be considered expired mock_get_cache_time.return_value = timedelta(seconds=60) # check that the cached entries are not queried anymore self.assertEqual(UserCache.query.count(), 2) self.assertEqual(get_username("uid1", "resolver1"), "") with self.assertRaises(UserError): User("hans2", "realm1", "resolver1") self.assertEqual(get_username("uid3", "resolver1"), "") # We add another, "current" entry UserCache("hans4", "hans4", "resolver1", "uid4", datetime.now()).save() self.assertEqual(UserCache.query.count(), 3) # we now remove old entries, only the newest remains delete_user_cache(expired=True) self.assertEqual(UserCache.query.count(), 1) self.assertEqual(UserCache.query.one().user_id, "uid4") # clean up delete_user_cache()
def test_03a_api_authenticate_fail(self): # This tests the failed to communicate to the firebase service self.setUp_user_realms() # get enrolled push token toks = get_tokens(tokentype="push") self.assertEqual(len(toks), 1) tokenobj = toks[0] # set PIN tokenobj.set_pin("pushpin") tokenobj.add_user(User("cornelius", self.realm1)) # We mock the ServiceAccountCredentials, since we can not directly contact the Google API with mock.patch( 'privacyidea.lib.smsprovider.FirebaseProvider.ServiceAccountCredentials' ) as mySA: # alternative: side_effect instead of return_value mySA.from_json_keyfile_name.return_value = myCredentials( myAccessTokenInfo("my_bearer_token")) # add responses, to simulate the failing communication (status 500) responses.add( responses.POST, 'https://fcm.googleapis.com/v1/projects/test-123456/messages:send', body="""{}""", status=500, content_type="application/json") # Send the first authentication request to trigger the challenge with self.app.test_request_context('/validate/check', method='POST', data={ "user": "******", "realm": self.realm1, "pass": "******" }): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) jsonresp = res.json self.assertFalse(jsonresp.get("result").get("status")) self.assertEqual( jsonresp.get("result").get("error").get("code"), 401) self.assertEqual( jsonresp.get("result").get("error").get("message"), "ERR401: Failed to submit " "message to firebase service.") # Our ServiceAccountCredentials mock has been called once, because no access token has been fetched before self.assertEqual(len(mySA.from_json_keyfile_name.mock_calls), 1) self.assertIn(FIREBASE_FILE, get_app_local_store()["firebase_token"])
def test_02_check_recoverycode(self): smtpmock.setdata(response={"*****@*****.**": (200, "OK")}) recoverycode = "reccode" user = User("cornelius", self.realm1) r = create_recoverycode(user, recoverycode=recoverycode) self.assertEqual(r, True) r = check_recoverycode(user, recoverycode) self.assertEqual(r, True) # The recovery code is not valid a second time r = check_recoverycode(user, recoverycode) self.assertEqual(r, False)
def test_18_challenges(self): db_token = Token.query.filter_by(serial=self.serial1).first() token = TokenClass(db_token) transaction_id = "123456789" db_token.set_pin("test") # No challenge request req = token.is_challenge_request( "test", User(login="******", realm=self.realm1)) self.assertFalse(req, req) # A challenge request req = token.is_challenge_request( "test", User(login="******", realm=self.realm1), {"data": "a challenge"}) self.assertTrue(req, req) resp = token.is_challenge_response( User(login="******", realm=self.realm1), "test123456") self.assertFalse(resp, resp) resp = token.is_challenge_response( User(login="******", realm=self.realm1), "test123456", options={"transaction_id": transaction_id}) # The token has not DB entry in the challenges table self.assertFalse(resp) # Create a challenge C = Challenge(serial=self.serial1, transaction_id=transaction_id, challenge="12") C.save() resp = token.is_challenge_response( User(login="******", realm=self.realm1), "test123456", options={"transaction_id": transaction_id}) self.assertTrue(resp) # test if challenge is valid self.assertTrue(C.is_valid())
def test_24_challenge_text(self): g = FakeFlaskG() g.client_ip = "10.0.0.1" options = {"g": g, "user": User("cornelius", self.realm1)} set_policy("chaltext", scope=SCOPE.AUTH, action="{0!s}=Wo du wolle?".format(ACTION.CHALLENGETEXT)) g.policy_object = PolicyClass() val = get_action_values_from_options(SCOPE.AUTH, ACTION.CHALLENGETEXT, options) self.assertEqual(val, u"Wo du wolle?") delete_policy("chaltext")
def test_02_set_user(self): db_token = Token.query.filter_by(serial=self.serial1).first() token = TokenClass(db_token) self.assertTrue(token.token.tokentype == "newtype", token.token.tokentype) self.assertTrue(token.type == "newtype", token.type) token.add_user(User(login="******", realm=self.realm1)) user_object = token.user self.assertTrue(user_object.login == "cornelius", user_object) self.assertTrue(user_object.resolver == self.resolvername1, user_object)
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) # Save the HTTP header in the localproxy object g.request_headers = request.headers g.serial = getParam(request.all_data, "serial", default=None) g.audit_object.log({ "success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) username = getParam(request.all_data, "username") if username: # We only fill request.User, if we really have a username. # On endpoints like /auth/rights, this is not available loginname, realm = split_user(username) # overwrite the split realm if we have a realm parameter. Default back to default_realm realm = getParam(request.all_data, "realm", default=realm) or realm or get_default_realm() # Prefill the request.User. This is used by some pre-event handlers try: request.User = User(loginname, realm) except Exception as e: request.User = None log.warning( u"Problem resolving user {0!s} in realm {1!s}: {2!s}.".format( loginname, realm, e)) log.debug(u"{0!s}".format(traceback.format_exc()))
def assign_user(resolver, realm, username, email, givenname, surname, serial, pin): app = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg", silent=True) with app.app_context(): # User operations try: print("+ Processing user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm)) user_obj = User(username, realm, resolver=resolver) except UserError as err: sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err)) return if not user_obj.exist(): print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm)) try: create_user(resolver, {"username": username, "email": email, "givenname": givenname, "surname": surname}, password="") user_obj = User(username, realm, resolver=resolver) except UserError as err: sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err)) return except Exception as err: sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err)) return # Token operations try: print(" +- Processing token {0!s}".format(serial)) t = assign_token(serial, user_obj, pin) print(" +-- Assigned token to user {0!s}.".format(user_obj)) except TokenAdminError as err: sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err)) except ResourceNotFoundError as err: sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err))
def test_02_set_user(self): db_token = Token.query.filter_by(serial=self.serial1).first() token = TotpTokenClass(db_token) self.assertTrue(token.token.tokentype == "totp", token.token.tokentype) self.assertTrue(token.type == "totp", token.type) token.add_user(User(login="******", realm=self.realm1)) self.assertEqual(token.token.first_owner.resolver, self.resolvername1) self.assertEqual(token.token.first_owner.user_id, "1000") user_object = token.user self.assertTrue(user_object.login == "cornelius", user_object) self.assertTrue(user_object.resolver == self.resolvername1, user_object)
def test_04_user_can_not_delete_another_token(self): self.authenticate_selfservice_user() assign_token(self.foreign_serial, User("cornelius", self.realm1)) with self.app.test_request_context('/token/{0!s}'.format(self.foreign_serial), method='DELETE', headers={'Authorization': self.at_user}): res = self.app.full_dispatch_request() self.assertEqual(res.status_code, 404) response = json.loads(res.data.decode('utf8')) self.assertFalse(response["result"]["status"]) # check if the token still exists! tokenobject_list = get_tokens(serial=self.foreign_serial) self.assertTrue(len(tokenobject_list) == 1, len(tokenobject_list))
def test_18_user_with_several_phones(self): ldap3mock.setLDAPDirectory(LDAPDirectory_small) params = ({ 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'objectGUID', 'NOREFERRALS': True, 'CACHE_TIMEOUT': 0 }) params["resolver"] = "ldapresolver" params["type"] = "ldapresolver" rid = save_resolver(params) self.assertTrue(rid > 0) (added, failed) = set_realm("ldap", ["ldapresolver"]) self.assertEqual(len(added), 1) self.assertEqual(len(failed), 0) u = User("salesman", "ldap") # get the complete list r = u.get_user_phone("mobile") self.assertEqual(r, ["1234", "3456"]) # get the first entry r = u.get_user_phone("mobile", index=0) self.assertEqual(r, "1234") # Index out of range r = u.get_user_phone("mobile", index=2) self.assertEqual(r, "") delete_realm("ldap") delete_resolver("ldapresolver")
def test_01_tiqr(self): init_token({"serial": "TIQR1", "type": "tiqr"}, User("cornelius", self.realm1)) with self.app.test_request_context('/ttype/tiqr', method='POST', data={"action": "metadata", "serial": "TIQR1", "session": "12345"}): res = self.app.full_dispatch_request() data = json.loads(res.data.decode('utf8')) identity = data.get("identity") service = data.get("service") self.assertEqual(identity.get("displayName"), "Cornelius ") self.assertEqual(service.get("displayName"), "privacyIDEA")
def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial try: user = get_token_owner(serial) or User() except Exception as exx: user = User() # This can happen for orphaned tokens. log.info("Could not determine tokenowner for {0!s}. Maybe the " "user does not exist anymore.".format(serial)) log.debug(exx) # We now check, if the user exists at all! try: ui = user.info except UserError as exx: if exx.id == 905: user = User() else: raise exx return user